1. E-COMMERCE FRAUD TRENDS 2013
Wednesday, Feb. 20th, 9:00 AM/EST

Limor S Kessem, Technical Lead, FraudAction Knowledge Delivery
Richard Booth, Senior Fraud Technology Consultant

Dial-in: U.S./Canada Toll-Free 1-866-289-3291, PIN: 8272
International Toll: dial 001-503-295-8000, then enter 866-289-3291 and PIN: 8272
Or listen via your computer speakers: under the Voice & Video tab select “Join Audio”
© Copyright 2012 EMC Corporation. All rights reserved.
2. Agenda
Statistics
Where does it all stem from?
How is fraud committed?
How can we protect ourselves?
3. Global e-commerce 2013
Expected to total almost $1 trillion worldwide in 2013.
4. Europeans shopping online: Top 10
[Bar chart: share of consumers shopping online in the top 10 European countries, 0% to 90% scale]
Source: EuroStat
5. Ecommerce is everywhere…
Consumers are using their smartphones to bridge the gap between brick-and-mortar stores and ecommerce.
eBay Mobile: 13,161,000 unique shoppers in 1 month; 1:04:02 hrs
PayPal: +5m active new accounts in 4Q2012, fastest rate in 8 years!
6. Losses to e-commerce fraud
Cybercrime costs UK retailers over £200 million a year (British Retail Consortium).
Total fraud losses on UK cards totaled £185 million between January and June 2012. Payment fraud losses are only 0.5% of all fraud losses in the UK (The UK Cards Association).
Losses incurred on Irish-issued payment cards show losses of €25.7 million recorded in 2011.
7. Intelligence = Power
9. The Underground?
The Underground World of Fraud
12. Fraudsters
Botmasters
Blackhats
Hacktivists
13. The underground players
Malware programmers
Infrastructure services
Data vendors
Stolen data vendors
Con artists and thieves
14. E-commerce fraud – The supply chain
Con artists – devise ploys
– Create and deploy social engineering schemes, which include ecommerce phishing and spam tactics designed to harvest credentials.
Data trafficking
– Buy, sell and trade in credentials, account information, card numbers, victim contact details, PII, credit reports
15. E-commerce fraud – The supply chain
Mule herders
– Recruit and command money mules
– Recruit and command item drop mules
Cashout services
– Offer a variety of options to fraudsters looking for exchange possibilities and monetization schemes
16. E-commerce fraud – The supply chain
Forgery service providers
– Create fake documentation – from statements to ID cards, driving licenses and passports.
– Provide cloned cards that are a replica of the real plastic card
Dark shoppers
– Offer purchasing services
– In-store pick-up
– E-commerce fraud tutorials
17. The flow of events
18. The planning phase
Step #1 – Plan, buy a card… or 100
This happens in deep-web venues
19. E-commerce fraud – Flow of events
[Timeline] Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize
20. A market…
Deep (web) conversations
Before… IRC
Today… Organized boards
22. Where are these details purchased?
23. What feeds the stolen data supply?
Phishing attacks
– Classic phishing – aimed at ecommerce merchants
– SMShing
– Trojan injections that ask for victim card details
Trojan logs
Hacked payment processors
Hacked online retailers
Big breaches that expose financial data
Data traffickers who have “warehouses” of information
Trojan plugins designed to grab and parse CC data
24. Verify card validity: CC Checking
Check via phone merchants
Check via online merchants
Check via adapted checking services
Check inside the CC shops
Check via rogue merchant infrastructures
25. Obtain additional details
Get online access to the card’s account
Attempt to guess/reset the VBV/MSC password if need be
Call the bank as needed
26. Get an item-drop mule (reshipping)
The fraud underground has a number of options to offer thieves:
– Accomplices
– Dark shopper services
– In-store pick up of ordered goods
– Pick your own item drop mule
– A full-service turnkey solution: from buy to monetize
27. Reshipping mules: Pick one
The herder recruits people to work
Each new “employee” is added to the list
The mule can be picked out online
Each mule is available for a number of shipments according to the herder’s rules
28. E-commerce fraud – Flow of events
[Timeline] Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize
29. The COB – Change of Billing
Goal: change the billing address on the account
“Enrolls” – attempt to access the card online
Add a shipping address/mailing address
Look for details on the victim
Add a mobile number and email address
Non-native speakers contract underground services to help them achieve the goal
30. What is ‘Carding’
The fraudulent use of payment cards is dubbed ‘Carding’
Fraudsters are after easy-to-card merchants
They usually avoid secure, large merchants
Prey on smaller shops and tell their friends about them
Usually card high-value electronics and popular goods
31. The action phase: Go shopping
Step #2 – Theft
Happens in e-commerce sites
33. E-commerce fraud – Flow of events
[Timeline] Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize
34. Item drop and reship
Step #3 – Ship the goods
Happens at item drop addresses
35. The mule…
The mule receives the goods at home
The mule prints and re-tickets the item
The mule will reship the item(s)
The fraudster will receive it – or…
The mule herder will receive and sell the item, then share the loot
In-store pick up mules will go to the shop and then reship…
36. E-commerce fraud – Flow of events
[Timeline] Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize
37. Monetize
Step #4 – Monetize
Happens between accomplices online/on the streets
38. Fighting Fraud
39. Protecting cardholders - Prevention
Banks can tighten security around COBs
Fraudsters fail when VBV/MSC codes cannot be reset or bypassed, and when BINs are blacklisted
Fraudsters will steer clear of secure platforms that provide them no added information (enrollment phase security)
Identity verification over the phone
Card-cloning criminals fail when the last 4 digits of the card must match their plastic
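The slides describe the COB pattern from the fraudster's side (enroll the card, add a shipping address, change email and phone, try to reset the VBV/MSC password, then ship a high-value order to the new address) and say banks can tighten security around COBs. The following is an added defender-side example of what that tightening can look like in an issuer's or merchant's event pipeline; it is not RSA's code or anything from the webinar. The event schema, the 7-day window, the 500 high-value threshold and the sample events are all constructed assumptions.

```python
"""Correlate account events to flag the change-of-billing (COB) + reship pattern.
Added illustration, not RSA/EMC code. Event format, thresholds and sample data
are constructed; events are assumed to arrive in time order per account."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed thresholds (assumptions; tune against your own baselines)
NEW_ADDRESS_WINDOW = timedelta(days=7)   # how long a new address counts as "fresh"
HIGH_VALUE = 500.0                       # order amount that adds a risk reason


@dataclass
class AccountState:
    address_added: dict = field(default_factory=dict)   # address id -> time it was added
    contact_changes: list = field(default_factory=list)  # times email/phone were edited
    vbv_resets: list = field(default_factory=list)       # times a VBV/MSC reset was attempted


def parse_event(line):
    """Parse one constructed 'key=value' log line into a dict with typed ts/amount."""
    ev = {}
    for token in line.split():
        key, _, value = token.partition("=")
        ev[key] = value
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    if "amount" in ev:
        ev["amount"] = float(ev["amount"])
    return ev


def recent(times, now):
    """True if any of the given timestamps falls within the window before `now`."""
    return any(timedelta(0) <= now - t <= NEW_ADDRESS_WINDOW for t in times)


def assess_order(acct, ev):
    """Return an alert dict for an order that fits the COB pattern, else None."""
    added = acct.address_added.get(ev["ship_to"])
    if added is None or not recent([added], ev["ts"]):
        return None  # ships to an established address: no COB signal
    reasons = ["ships to an address added within %d days" % NEW_ADDRESS_WINDOW.days]
    if recent(acct.contact_changes, ev["ts"]):
        reasons.append("email/phone changed recently")
    if recent(acct.vbv_resets, ev["ts"]):
        reasons.append("VBV/MSC password reset attempted recently")
    if ev["amount"] >= HIGH_VALUE:
        reasons.append("high-value order")
    if len(reasons) < 2:
        return None  # a lone new address is normal (moved house, gift); need corroboration
    return {"acct": ev["acct"], "order": ev["order"], "reasons": reasons}


def scan(lines):
    """Replay the event log per account and collect alerts for suspicious orders."""
    state, alerts = {}, []
    for line in lines:
        ev = parse_event(line)
        acct = state.setdefault(ev["acct"], AccountState())
        kind = ev["type"]
        if kind == "address_added":
            acct.address_added[ev["addr"]] = ev["ts"]
        elif kind in ("email_changed", "phone_changed"):
            acct.contact_changes.append(ev["ts"])
        elif kind == "vbv_reset_attempt":
            acct.vbv_resets.append(ev["ts"])
        elif kind == "order":
            alert = assess_order(acct, ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real data): A1 shows the full COB pattern,
# B7 ships to an address held for months, C3 adds an address but nothing else fires.
SAMPLE_EVENTS = [
    "ts=2013-02-01T10:00:00 acct=A1 type=address_added addr=ADDR2",
    "ts=2013-02-01T10:02:00 acct=A1 type=email_changed",
    "ts=2013-02-01T10:03:00 acct=A1 type=phone_changed",
    "ts=2013-02-02T09:15:00 acct=A1 type=vbv_reset_attempt",
    "ts=2013-02-03T14:30:00 acct=A1 type=order order=O-1001 ship_to=ADDR2 amount=1299.00",
    "ts=2012-06-01T08:00:00 acct=B7 type=address_added addr=HOME",
    "ts=2013-02-10T19:45:00 acct=B7 type=order order=O-1002 ship_to=HOME amount=80.00",
    "ts=2013-02-11T12:00:00 acct=C3 type=address_added addr=OFFICE",
    "ts=2013-02-12T12:00:00 acct=C3 type=order order=O-1003 ship_to=OFFICE amount=45.00",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["acct"], alert["order"], "; ".join(alert["reasons"]))
```

The rule deliberately requires the new-address signal plus at least one corroborating change, so a customer who simply moves house is not challenged; in a real deployment the alert would feed the step-up or phone-verification path rather than an outright block.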
41. Cardholder education is key
Fraudsters will try to enroll cards – they can be stopped!
– Encourage customers to register their cards to the online service and be sure to review them regularly.
Fraudsters dread the premature discovery of a pending fraudulent delivery/transaction
– Encourage customers to use the alerting services you offer (email, SMS)
42. Informed customers help prevent fraud
Inform customers about phishing for card information
Inform customers about shopping via mobile devices and through apps
– Mobile devices can be just as easily targeted by phishing and rogue shopping apps as the PC
– Warn customers about downloading shopping and banking apps from third party websites
43. Cardholders have the power
… to avoid phishing scams by never divulging financial information online
… to call their bank when they are unsure of the source of a suspicious email
… to control the shipping process of orders they placed
44. Cardholders have the power
… to monitor their card when they hand it to a shop attendant
… to only buy from well-known, reputable merchants
… to choose to receive alerts when purchases are processed on their cards
… to regularly review their accounts, especially during the holidays
45. Deception is only deception
46. Managing Fraud Risk
47. Threats Occur Across the Entire User Session
[Diagram: a user session runs from the beginning of the web session, through login, to transaction and logout. Threats before login are the InfoSec domain; threats after login are the Fraud domain.]
Pre-Authentication Threats (InfoSec): Site Scraping, Vulnerability Probing, Password Guessing, DDOS Attacks, Phishing Attacks, Parameter Injection, Access From High Risk Country
Post-Authentication Threats (Fraud): Account Takeover, Man In The Browser, Man In The Middle, Unauthorized Account Activity, New Account Registration Fraud, High Risk Checkout, Fraudulent Money Movement, Promotion Abuse
48. RSA FraudAction Services
• Anti-Phishing Service – Detect and shut down phishing sites
• Anti-Trojan Service – Detect and shut down malware targeting customers
• Anti Rogue App Service – Detect and shut down rogue mobile apps
• FraudAction Intelligence – Reports about fraud activities, trends in the underground
49. SilverTail Web Session Intelligence
Criminals Behave Differently Than Customers
Velocity
Page Sequence
Origin
Contextual Information
Anomalous Behavior Detection
50. RSA Adaptive Authentication
Transparent real-time fraud detection and authentication without sacrificing user experience
Monitor and authenticate both login and post login activities
Risk based self-learning engine which rapidly adjusts policies and controls to predict and protect against future attacks
Collaborative real-time cross-institution fraud intelligence sharing
51. RSA Adaptive Authentication
[Architecture diagram] Inputs (Behavior, Device, Fraud, Activity details) → Risk Engine (example risk scores shown on the slide: 937, 271) → Policy Mgr. → Continue, or Authenticate via Step-up Authentication (Knowledge Challenge, Out-of-band, Others) → Feedback into the Risk Engine; Case Mgmt also returns Feedback.
52. RSA Adaptive Authentication for eCommerce
• Balance risk, cost and convenience with no enrollment
• Transparent real-time fraud detection with minimal impact to cardholders' user experience
• Risk based system that learns from past behavior and rapidly adjusts to predict and protect against future attacks
• Collaborative real-time cross-institution sharing of fraud-connected data via RSA eFraudNetwork
• Worldwide availability to issuing banks as a centrally hosted service
53. RSA Adaptive Authentication for eCommerce
Transparent Auth • Low risk transparently authenticated – no cardholder engagement
Mandatory Auth • Risky transactions challenged via KBA, OTP SMS, Data Elements
Decline • Highest risk transactions are declined
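Slides 49 through 53 describe a risk engine that scores a session from velocity, page sequence, origin and contextual signals and then routes the transaction to transparent authentication, a step-up challenge (KBA, OTP SMS) or a decline, with BIN blacklisting as a hard control. The code below is an added illustration of that three-way policy and of a page-sequence plausibility check; it is not RSA's risk engine, and its 0 to 1000 score scale, signal weights, thresholds, BIN blacklist and sample transactions are all constructed assumptions.

```python
"""Toy risk-based step-up policy in the shape the slides describe.
Added example, not RSA/EMC code. Score scale, weights, thresholds,
the blacklist and the sample transactions are constructed."""
from dataclasses import dataclass

# Assumed score scale 0..1000 and policy cut-offs (not RSA's actual values)
CHALLENGE_AT = 300   # >= this: mandatory auth (KBA / OTP SMS)
DECLINE_AT = 800     # >= this: decline
BLACKLISTED_BINS = {"999999"}  # constructed placeholder BIN, not a real one

# The page walk a human shopper normally makes; extra pages in between are fine
EXPECTED_SEQUENCE = ("product", "cart", "checkout", "payment")


@dataclass
class Transaction:
    card_bin: str
    amount: float
    device_known: bool            # device seen before on this card
    origin_country: str           # where the session comes from
    issuer_country: str           # where the card was issued
    attempts_last_hour: int       # velocity: checkout attempts by this card/device
    page_sequence: tuple          # pages visited in this session, in order
    recent_billing_change: bool   # COB signal from account history
    ships_to_new_address: bool


def sequence_is_plausible(seq):
    """True if EXPECTED_SEQUENCE occurs in order as a subsequence of the pages seen.
    A script that lands straight on payment, or skips the cart, fails this check."""
    it = iter(seq)
    return all(page in it for page in EXPECTED_SEQUENCE)


def signals(tx):
    """Return (reason, weight) pairs that fired for this transaction."""
    fired = []
    if tx.card_bin in BLACKLISTED_BINS:
        fired.append(("BIN blacklisted", 1000))
    if not tx.device_known:
        fired.append(("unknown device", 150))
    if tx.origin_country != tx.issuer_country:
        fired.append(("origin country differs from issuer country", 200))
    if tx.attempts_last_hour >= 5:
        fired.append(("high checkout velocity", 250))
    if not sequence_is_plausible(tx.page_sequence):
        fired.append(("implausible page sequence", 200))
    if tx.recent_billing_change:
        fired.append(("recent change of billing details", 200))
    if tx.ships_to_new_address:
        fired.append(("ships to a newly added address", 150))
    if tx.amount >= 1000:
        fired.append(("high-value amount", 100))
    return fired


def score(tx):
    """Sum the fired weights, capped at the top of the assumed scale."""
    return min(1000, sum(w for _, w in signals(tx)))


def decide(tx):
    """Map the score onto the slide's three outcomes: transparent, challenge, decline."""
    s = score(tx)
    if s >= DECLINE_AT:
        action = "decline"
    elif s >= CHALLENGE_AT:
        action = "challenge"      # step-up: KBA or OTP SMS before the order proceeds
    else:
        action = "transparent"    # low risk: no cardholder engagement
    return {"score": s, "action": action, "reasons": [r for r, _ in signals(tx)]}


# Constructed sample transactions (not real data)
LOW_RISK = Transaction("411111", 80.0, True, "US", "US", 1,
                       ("home", "product", "cart", "checkout", "payment"), False, False)
MEDIUM_RISK = Transaction("411111", 1200.0, False, "US", "US", 1,
                          ("product", "cart", "checkout", "payment"), False, True)
HIGH_RISK = Transaction("411111", 1500.0, False, "RO", "US", 8,
                        ("payment",), True, True)

if __name__ == "__main__":
    for name, tx in (("low", LOW_RISK), ("medium", MEDIUM_RISK), ("high", HIGH_RISK)):
        print(name, decide(tx))
```

Every decision carries its reasons, which is what a case-management queue and the feedback loop on slide 51 need: an analyst confirming or clearing a challenged order can feed that outcome back to adjust the weights, whereas a bare score gives nothing to learn from.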